The Honeynet Project Chinese Chapter Status Report (Period Apr 2007 to Dec 2008)

ORGANIZATION
1. Changes in the structure of your organization.
All members of the Chinese Chapter (i.e. The Artemis Project) are still from ERCIS, Institute of Computer Science and Technology, Peking University, China, although we are seeking contributors from other organizations.
The structure of the Chinese Chapter changed only slightly during the last period. We now have 2 faculty members, 2 staff members, 6 master students and 2 undergraduate students. Jianwei Zhuge and Chengyu Song are Full Members of the Honeynet Project. The size of the Chinese Chapter will remain stable, within 5 faculty/staff members and 10 students, over the next several years.
We are seeking experienced Chinese researchers or developers to join our team. We offer full-time job positions, Ph.D. and Master student programs at Peking University, and intern positions.

2. List current chapter members and their activities

1) Jianwei Zhuge: Team Leader, Assistant Professor, research and development focusing on measurement of emerging Internet threats, malware analysis and defense

2) Xinhui Han: Team Manager, Senior Engineer

3) Chengyu Song: Master Student, research and development of malware dynamic analysis techniques based on a lightweight sandbox and kernel API hooking, research on honeypot monitoring techniques.

1) Autonomous spreading malware measurement, see our ICICS'07 paper and our FIRST'08 paper on Matrix for details. With the help of the Matrix Chinese distributed honeynet, which integrates Nepenthes, HoneyBow and GenIII Honeynet, we had a hit count of about 1,244,000 autonomous spreading malware infections. The hit count is the total number of downloaded samples, i.e., how often we successfully captured a binary, disregarding multiple copies of the same binary. As the metric for uniqueness we use the MD5 sum. Using this metric, we collected nearly 180,000 unique sample binaries during the twelve-month measurement period (year 2007). This means that on average we collected about 3,408 binaries and 496 new unique binaries per day.

2) Botnet measurement, see our botnet measurement TR and our FIRST'08 paper on Matrix for details. One of the most important applications of our Chinese Matrix Distributed Honeynet is the measurement of IRC-based botnets, which are very common on the Chinese Internet. We discovered 2,687 unique botnets on the China public Internet during the whole year of 2007. Uniqueness is defined in this context as a unique combination of DNS name, port number and channel name.

3) Malicious website measurement, see our WEIS'08 paper for details. Using our malicious website measurement setup, which is built on high-interaction client honeypots, we identified a total of 2,149 malicious websites (1.49%) among 144,587 distinct hosts, which represent the websites most commonly visited by normal Chinese Internet users.
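The two counting rules used in items 1) and 2) above (hit count versus MD5-unique samples, and a botnet identified by its DNS name, port and channel triple) are easy to get subtly wrong when the raw capture logs mix letter case or trailing dots. The following is an added example, not code from the Chinese Chapter or from Matrix; the capture records and C&C sightings are constructed, the MD5 strings are placeholders rather than hashes of real samples, and the function names are the example's own.

```python
"""Dedup and per-day statistics for honeynet capture records (added example)."""
from collections import defaultdict
from datetime import date

# Constructed capture log: (capture date, sensor, MD5 of the downloaded binary).
# Each row is one successful download, i.e. one "hit"; the digests are placeholders.
CAPTURES = [
    (date(2007, 1, 1), "sensor-bj", "0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    (date(2007, 1, 1), "sensor-sh", "0F1E2D3C4B5A69788796A5B4C3D2E1F0"),  # same binary, other sensor
    (date(2007, 1, 1), "sensor-bj", "11111111111111111111111111111111"),
    (date(2007, 1, 2), "sensor-gz", "0f1e2d3c4b5a69788796a5b4c3d2e1f0"),  # repeat on a later day
    (date(2007, 1, 2), "sensor-gz", "22222222222222222222222222222222"),
    (date(2007, 1, 3), "sensor-sh", "33333333333333333333333333333333"),
    (date(2007, 1, 3), "sensor-bj", "22222222222222222222222222222222"),
]

def sample_stats(captures):
    """Return hit count, unique count (by MD5) and per-day figures.

    The hit count counts every successful download. Uniqueness is the MD5 of
    the binary, compared case-insensitively because hex digests are logged in
    mixed case by different tools. 'new_per_day' counts a digest only on the
    day it is first seen, which is what "new unique binaries per day" means.
    """
    seen = set()
    hits_per_day = defaultdict(int)
    new_per_day = defaultdict(int)
    for day, _sensor, md5 in sorted(captures, key=lambda c: c[0]):
        digest = md5.lower()
        hits_per_day[day] += 1
        if digest not in seen:
            seen.add(digest)
            new_per_day[day] += 1
    days = len(hits_per_day)
    hits = sum(hits_per_day.values())
    return {
        "hits": hits,
        "unique": len(seen),
        "hits_per_day": round(hits / days, 2),
        "new_unique_per_day": round(len(seen) / days, 2),
        "new_per_day": dict(new_per_day),
    }

# Constructed IRC C&C sightings: (DNS name, port, channel). Names are made up.
BOTNET_SIGHTINGS = [
    ("irc.example-cc.test", 6667, "#bots"),
    ("IRC.EXAMPLE-CC.TEST", 6667, "#BOTS"),    # same botnet, different letter case
    ("irc.example-cc.test", 6668, "#bots"),    # different port: a separate botnet
    ("irc.example-cc.test", 6667, "#update"),  # different channel: a separate botnet
    ("cc2.example.test.", 6667, "#x"),         # fully-qualified name with trailing dot
    ("cc2.example.test", 6667, "#x"),
]

def unique_botnets(sightings):
    """Unique botnets are distinct (DNS name, port, channel) triples after normalisation.

    DNS names and IRC channel names are both case-insensitive, so both are
    lower-cased, and a trailing dot on a fully-qualified name is dropped so
    that the same server is not counted twice.
    """
    keys = set()
    for dns, port, channel in sightings:
        keys.add((dns.lower().rstrip("."), int(port), channel.lower()))
    return sorted(keys)

if __name__ == "__main__":
    print(sample_stats(CAPTURES))
    for botnet in unique_botnets(BOTNET_SIGHTINGS):
        print(botnet)
```

Without the normalisation the constructed input would report six botnets instead of four and five unique samples instead of four, which is the kind of over-count that inflates a measurement paper's headline numbers.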

RESEARCH AND DEVELOPMENT
1. List any new tools, projects or ideas you are currently researching or developing.

2) Sebek Win32 version: several bugs have been found and fixed, including a sys_socket accept event misreported as a connection, an incorrect ProcessID for accept events, a BSOD in GetProcessInfo when the target process' PEB has been paged out, and several memory leaks. The improved version is still under testing, and we plan to take responsibility for maintaining the Sebek Win32 version after the workshop.

3) phoneyc: two functions were added. The first is recursive embedded link analysis: when it meets an iframe or frame tag, the new PageParser automatically downloads that page, parses it and merges it into the base page. The second is script output analysis: when it meets a script end tag, the new PageParser executes the self.js_body collected so far and treats the output as a new page, which is parsed and merged; a JavaScript file included by a script tag is also downloaded automatically and appended to js_body.

4) Argos, a HIDS powered by dynamic taint analysis from Vrije Universiteit. The original version only supports the NE2000 ethernet adapter, which is not compatible with the Sebek Win32 version, and the only compatible adapter, PCNet, does not have the dynamic taint function. So we added this function to the PCNet ethernet adapter emulator.
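The recursive embedded link analysis described for phoneyc in item 3) has one failure mode a client honeypot must handle: a frame that embeds a page already being merged (directly or through a chain) would keep the downloader looping. The following is an added example, not phoneyc's PageParser; it serves pages from a constructed in-memory site through a stand-in fetch() function, follows iframe/frame tags recursively with a visited set and a depth bound, and collects external and inline script text into js_body in document order. Executing the collected JavaScript (the second phoneyc function) is not modelled here. All class and function names are the example's own.

```python
"""Recursive frame merging for a client honeypot page parser (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed site: URL -> body. frame-b.html frames the top page again,
# which is the loop a naive recursive downloader would follow forever.
SITE = {
    "http://example.test/index.html": (
        "<html><body><p>hello</p>"
        "<iframe src='frame-a.html'></iframe>"
        "<script src='lib.js'></script>"
        "<script>var x = 1;</script>"
        "</body></html>"
    ),
    "http://example.test/frame-a.html": (
        "<html><body><frame src='frame-b.html'>"
        "<script>var y = x + 1;</script></body></html>"
    ),
    "http://example.test/frame-b.html": (
        "<html><body><iframe src='index.html'></iframe><p>inner</p></body></html>"
    ),
    "http://example.test/lib.js": "function lib() { return 42; }",
}

def fetch(url):
    """Stand-in downloader: returns the body, or None for an unknown URL."""
    return SITE.get(url)

class FrameCollector(HTMLParser):
    """Collects frame/iframe sources and script references from one page, in order."""
    def __init__(self):
        super().__init__()
        self.frames = []   # src attribute of each iframe/frame tag
        self.scripts = []  # ("src", url) or ("inline", text), in document order
        self._buf = None   # text of the inline script currently being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame") and a.get("src"):
            self.frames.append(a["src"])
        elif tag == "script":
            if a.get("src"):
                self.scripts.append(("src", a["src"]))
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        # A script end tag closes the inline body collected since its start tag.
        if tag == "script" and self._buf is not None:
            self.scripts.append(("inline", "".join(self._buf).strip()))
            self._buf = None

def merge_page(url, visited=None, max_depth=5):
    """Return (merged page URLs, js_body) for url and everything it frames.

    Each URL is fetched at most once (visited set), so frame loops terminate,
    and max_depth bounds how long a chain of nested frames is followed.
    """
    visited = set() if visited is None else visited
    if max_depth < 0 or url in visited:
        return [], []
    visited.add(url)
    body = fetch(url)
    if body is None:
        return [], []
    parser = FrameCollector()
    parser.feed(body)
    pages, js_body = [url], []
    # External scripts are downloaded and appended where their tag appears.
    for kind, value in parser.scripts:
        if kind == "inline":
            js_body.append(value)
        else:
            js = fetch(urljoin(url, value))
            if js is not None:
                js_body.append(js)
    # Embedded frames are fetched, parsed and merged recursively.
    for src in parser.frames:
        sub_pages, sub_js = merge_page(urljoin(url, src), visited, max_depth - 1)
        pages.extend(sub_pages)
        js_body.extend(sub_js)
    return pages, js_body

if __name__ == "__main__":
    merged, js = merge_page("http://example.test/index.html")
    print(merged)
    print(js)
```

On the constructed site the merge visits index.html, frame-a.html and frame-b.html exactly once and stops when frame-b.html points back at the top page; the library script is placed before the inline scripts that depend on it, matching the order a browser would execute them.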

3. Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
Not currently.

4. Explain what kind of help or tools or collaboration you are interested in.
We have proposed a Sebek improvement project. To give the current Sebek better stability and invisibility, we propose two different honeypot monitoring solutions, one for each of the commonly used high-interaction honeypot deployment approaches. Firstly, we propose to improve the current Sebek Win32 version to provide a Direct-on-System honeypot monitoring solution for both physical and virtual machine honeypot deployments. Secondly, we will research and prototype a virtualization-based honeypot monitoring solution for virtual machine honeypots.

FINDINGS

2) For malware analysis, we use our former HoneyBox platform and current MwAnalyzer platform.

3) For IRC-based botnet tracking, we use our self-developed HoneyBot tool. For HTTP-based botnet tracking, we use our self-developed tracking scripts.

4) For malicious website analysis and measurement, we use our home-made high-interaction honeypot system integrating MwSniffer, MwScanner and HoneyBow.

4. What is working well, and what is missing, what data analysis functionality would you like to see developed?
We are experimenting with several data analysis techniques, such as cluster analysis (and further root cause analysis), baseline analysis and correlation analysis, aiming to provide practical methods for identifying high-level attack events in the huge dataset collected by the distributed honeynet. We think such high-level data analysis methods (integrated with low-level data analysis techniques and drill-down mechanisms) need further research and development, especially for distributed honeynet deployments such as GDH and Matrix.

PAPERS AND PRESENTATIONS
1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers? If yes, please provide a description and link (if possible)
English Papers

16. T. Lu, Z. Chen, J. Zhuge, X. Han, and W. Zou, Research and Implementation of Network Attack Flow Redirection Mechanism in the Honeyfarm Environment, accepted by CCICS'09. Nominated for the Journal of Nanjing University of Posts and Telecommunications.

2. Are you looking for any data or people to help with your papers?
We collaborated with Thorsten Holz of the German Honeynet Project on three papers; two of them were accepted by academic conferences (WEIS'08 and ICICS'07), and the third was released as a Joint Technical Report. Thorsten helped us a great deal with paper writing and reviewing.
We are looking for further collaboration with him and/or other researchers on co-authoring academic or technical papers, especially on malware analysis, web-based malware detection and measurement, and exploit detection/analysis.

1. Which of your goals did you meet for the past year?
1). We successfully finished the project on an automatic malware analysis tool, designing and developing an integrated automatic malware analysis platform that includes static analysis/signature generation (Antiy Labs), dynamic analysis (Artemis) and network analysis (CCERT). We developed a featherweight virtual-machine-based sandbox for parallel dynamic analysis of large numbers of malware samples on a single native host. No open publications are available yet; add oil, Chengyu and Zhiyin :).
2). We enlarged the Matrix Chinese Distributed Honeynet system to up to 50 honeynets and up to 200 honeypots distributed over more than 30 provinces in China. The system has become one of the Internet threat measurement infrastructures for CNCERT/CC. Thanks to CNCERT/CC for providing us with such a great opportunity. Good job, Jinpeng and Qiushi.
3). We obtained further funds from CNCERT/CC for a botnet and malicious website measurement project. We also wrote proposals for NSFC funds and other funding opportunities; two failed and one (only several thousand dollars) succeeded. We need substantial funds or donations to obtain the necessary resources, to cover our expenses, and to improve the salary level for staff members and the subsidy level for the students. Funding or donation information goes to Jianwei, please.
4). We published 15 papers and articles during this period (Apr 2007 to Dec 2008), including 5 conference papers and 1 technical report in English, 6 journal and conference papers in Chinese, and another 3 magazine articles. Another 3 papers are accepted or under submission. More members presented at various conferences, workshops and seminars. Thanks to Thorsten Holz for his help with co-authoring papers.
5). Based on our Seminar on Hacking Analysis and Forensics during the whole past academic year, Jianwei Zhuge teaches a course, "Network Hacking and Defense: Technology and Practice", for graduate and senior undergraduate students majoring in Computer Science.

2. Goals for the next year.
1). Finish the current funded projects successfully, and seek future funds and/or donations. We need funds and resources to maintain and enlarge our team for further research and development.
2). Deeper and harder research and development, and get at least one paper accepted by rank A/rank A+ academic journals and conferences. Collaboration proposals on co-authoring papers are welcome; drop Jianwei a line.
3). Help CNCERT/CC and other security organizations in China to build Internet threat measurement and response solutions and systems, especially for Web-based malware.
4). Further development and research on honeypot monitoring techniques (Sebek).

MISC ACTIVITIES
1) Translated the new KYEs into Chinese.
2) Due to Jianwei's efforts, our institute received a software donation (MSDN Developer Academic Alliance, 1 year) from Microsoft. Thanks to Microsoft and Ms. Na Zeng.